Re: Unable to ping secondary node on SRX3600 cluster

If you are pinging from a subnet other than the fxp0 interface subnet, then you cannot ping, because the routing daemon is not active on the secondary node. In order to reach the fxp0 interface of the secondary node, you have to define the backup-router configuration like below:

Re: Unable to ping secondary node on SRX3600 cluster

To ensure the standby node has management access while it is standby, you must configure two items, and really, really, really should configure a third.

1) Backup router statement. This can go inside 'groups node0' or 'groups node1', but if both management addresses are on the same subnet, it can go with the rest of the system config.

2) ** Unique addresses for each node **, configured with the groups config. Without it, both nodes will have the same IP address and will fight for it, creating MAC conflicts. I like to use the 'master-only' address as well, so I can always reach the active node with one address, but can reach an individual node if I need to. This also gives you the option to specify a syslog source-address, if you want the logs separated by node.

3) You really should create static routes to match your backup-router networks with the 'retain' flag (and I always use 'no-readvertise', too). The backup router statement is only used when the routing-engine is booting and before RPD starts for the first time. If you manually switch a cluster over, the backup-router statement is not reprocessed, as RPD already started, and you will lose connectivity to the original node. Same thing happens if you switch over and switch back.
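A worked configuration covering all three items in the checklist above, added here as an illustration and not taken from the original thread. The addresses are assumptions (RFC 5737 documentation ranges): the management subnet is 192.0.2.0/24 with its gateway at 192.0.2.1, the management workstations live in 198.51.100.0/24, node0 gets 192.0.2.11, node1 gets 192.0.2.12, and 192.0.2.10 is the shared master-only address. Because both fxp0 addresses sit on the same subnet, the backup-router statement is placed with the rest of the system config rather than inside each node group, and the syslog source-address from item 2 is shown per node.

```junos
/* Added example configuration; hostnames and addresses are assumed, not from the thread. */
groups {
    node0 {
        system {
            host-name srx3600-node0;
            /* Per-node syslog source so logs from each node can be told apart. */
            syslog {
                source-address 192.0.2.11;
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        /* Unique per-node address: always reaches node0. */
                        address 192.0.2.11/24;
                        /* Shared address that follows the primary RE. */
                        address 192.0.2.10/24 {
                            master-only;
                        }
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name srx3600-node1;
            syslog {
                source-address 192.0.2.12;
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        /* Unique per-node address: always reaches node1. */
                        address 192.0.2.12/24;
                        address 192.0.2.10/24 {
                            master-only;
                        }
                    }
                }
            }
        }
    }
}
/* Each node applies only its own group at boot. */
apply-groups "${node}";
system {
    /* Item 1: used only while the RE boots, before rpd has started.
       Both nodes share a subnet, so one statement serves both. */
    backup-router 192.0.2.1 destination 198.51.100.0/24;
}
routing-options {
    static {
        /* Item 3: the same destination as the backup-router, kept in inet.0
           on the standby ('retain') and never leaked into routing protocols
           ('no-readvertise'), so a switchover does not strand the old primary. */
        route 198.51.100.0/24 {
            next-hop 192.0.2.1;
            retain;
            no-readvertise;
        }
    }
}
```

To check it, commit on the primary, confirm both nodes are up with `show chassis cluster status`, then ping 192.0.2.11 and 192.0.2.12 from the 198.51.100.0/24 workstation. Fail over with `request chassis cluster failover redundancy-group 0 node 1`, and ping both per-node addresses again: the node that just became standby should still answer, and `show route 198.51.100.0/24` on it should still list the retained static route. Without item 3, that second ping to the new standby is the one that fails.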

Re: Unable to ping secondary node on SRX3600 cluster

Of course I assumed that the fxp0 interfaces of both nodes have different management IPs, so I did not mention it. The backup-router statement is the key. The third step you mention is for the subnets whose routing is not through the in-band interfaces of the firewall, which is mostly not the case.

Re: Unable to ping secondary node on SRX3600 cluster

...The third step you mention is for the subnets whose routing is not through the in-band interfaces of the firewall, which is mostly not the case.

Yes, the primary use of 'retain' and 'no-readvertise' flags is for routes out the OOB management interface (fxp0). These are the same routes as used by backup-router destination. (backup-router destinations may be a subset, if you have a lot of these).

I listed them as part of the 'backup-router' checklist because they're important for the end goal: management of the secondary node of an SRX cluster (or any backup-routing engine on any JunOS platform: EX8208, XRE, M/MX, etc).

If you don't have these routes, you will lose connectivity to the (new) standby node after a cluster switchover. IMPO, if you're configuring backup router statements, unique IP addresses per node on fxp0, and omit the management routes with 'retain' flag, you're doing 95% of a complete solution and then missing the 32 yard field goal in the last 15 seconds of the game.